Maintenance May 21st

The server center where the gitorious.org servers are located is being reorganized. From 1 AM CET on Tuesday, May 21st, all gitorious.org services will be down for approximately 2 hours while the servers are relocated. This is nighttime in Europe and evening in the Americas, but we apologize for any inconvenience caused by this maintenance window.

Gitorious is featured on the GitMinutes podcast

GitMinutes is a fairly new podcast about Git, with weekly episodes featuring interviews with people doing all kinds of things with Git. This podcast is a great way to keep track of what’s happening in the Git community.

I’m in this week’s episode, talking about Gitorious and Git infrastructure. I had a great time chatting with Thomas from GitMinutes, and you’ll find the current episode here.

An update about Gitorious v3.0

When we merged the Rails 3 branch into next back in January it was our intention that this would become Gitorious 3.0, with few user-visible features. Our plan was to ship 3.1 shortly after, including the new code browser we started working on last year.

The upgrade to Rails 3 was done mainly to enable us to run the code browser asynchronously, and we have put a lot of effort into making it possible to run an asynchronous web server alongside the Gitorious Rails application. Despite these efforts we were never able to get the stability we need with this setup. To make matters worse, the speed benefits from running asynchronously haven’t been as big as we had hoped. Because of this we have decided to make some changes to our plans:

Gitorious 3 will include the new code browser

We felt that shipping a new major without any major user-facing changes doesn’t make any sense. Since the updated code browser is so close to being merged, we’ll wait with tagging the 3.0 version until the new code browser has been merged into the next branch. We feel it’s worth waiting for:

New Gitorious UI sketch - syntax highlighting

The code browser in Gitorious 3 will not be asynchronous

We will change the code browser so it no longer runs asynchronously; rather it will be a Rack application running inside Gitorious. The git repository access is still done using libgit2/rugged, which gives great speed and stability gains, and we will finally get proper syntax highlighting courtesy of Pygments.

We hope to tag Gitorious 3.0 before the end of April, and will deploy it to gitorious.org as soon as it’s been tagged. It will feature:

  • Rails 3.2
  • Partial new UI
  • Significantly improved repository browser (Dolt)
  • New syntax highlighting, along with support for vast numbers of new languages
  • Readme-rendering for repositories
  • A JSON/HTTP based API, more details soon!
  • Ruby 1.9 support

Shortly after 3.0 lands we will keep working on propagating the UI upgrade to other parts of the application.

Gitorious v2.4.12 is released (security update)

Three new vulnerabilities have been fixed for Ruby on Rails, on which Gitorious is built. Read the original Ruby on Rails sec-list announcements for further details.

The steps for upgrading are, as usual (from within the root gitorious clone/source directory):

  • git fetch --tags
  • git merge v2.4.12
  • git submodule update --init
  • bundle install

We advise all users running their own Gitorious servers to upgrade immediately. Note that the Gitorious Community Edition installer has also been updated to install v2.4.12 now.

Gitorious v2.4.10 has been released

As a refreshing change from the security-related versions of Gitorious over the last weeks, we’re glad to announce that version 2.4.10 of Gitorious was just released. This release fixes several bugs in Gitorious, among these:

  • Fix broken pushes with sync messaging adapter
  • Fix layout for global system message
  • Fix mass-assignment related bugs
  • Include repositories in Project XML output
  • Fix broken User avatar upload
  • Finally fix the double merge request versions
  • Make bin/bundle work when bundle needs update(s)

Furthermore, you may place global git hooks in a location specified in gitorious.yml.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.10
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

Happy upgrades!

Gitorious went down this morning

Our frontend web server went down at 6:24 CET this morning. We will be updating this post as we bring the server back up. Here’s what we know right now:

  • At 6:24 CET a kernel oops occurred. The alarms at our hosting provider went off, and the server was booted.
  • Since the file system keeping the repositories hasn’t had a full consistency check since August 2012, an fsck was started.
  • When fsck hadn’t completed at 8:00 CET, the server was routinely rebooted, and another fsck process was started at 8:04 CET.
  • The last time we ran a full fsck on the file system, it took about 2.5 hours. Since then, however, we have installed dedicated storage for our servers, and this has higher IO capacity than the one we were running from in August last year.
  • 10:06 CET: The server is back up. We will upgrade the kernel and do another reboot; hopefully the kernel issue we encountered earlier today has been resolved. Expect a few minutes of downtime in a few minutes.
  • 10:13 CET: All systems are running again, with an updated kernel.

Improved and updated the Gitorious CE Installer (v2.4.9)

We’ve closed a number of recent security issues related to Ruby and Rails (which Gitorious depends on). The Community Edition Installer has lagged behind a bit but is, as of today, upgraded to install the latest version of Gitorious (v2.4.9). The update also includes our current recommended default settings plus some improvements to the installer itself.

Short story: following the steps outlined at http://getgitorious.com/installer on a fresh CentOS 6 server will ensure that you end up with the latest version of Gitorious installed.

Already running on an older version of Gitorious and need to upgrade? Follow the standard installation procedure outlined here.

Please let us know if you run into any issues with the installer: the Gitorious team can be reached at support@gitorious.org

Changelog for the installer:

Update to Gitorious v2.4.9 & improve installer

Brings the installer up to Gitorious v2.4.9, uses the current most
sensible default settings for that version, fixes recent Rails and
Ruby-related security issues and improves the installer itself.

Breakdown:

- Using resque instead of ActiveMq
- Using nginx+unicorn instead of apache+passenger
- Use latest version of Gitorious
- Includes fixes for recent Ruby/Rails security issues
- Using thinking sphinx instead of ultrasphinx
- Installer no longer nukes existing Ruby/Rubygems
- Installer logs puppet operations
- More robust puppet apply operation
- Truly random generated db/rails passwords
- Only create random db password on first run
- Remove unneeded git proxy, use git daemon directly

2.4.9 fixes regression in 2.4.8

I inadvertently broke creating new projects with yesterday’s 2.4.8 release. I have deployed a fix on gitorious.org, and just tagged 2.4.9. 2.4.9 also addresses a bug in Gitorious’ log graph visualization.

We made some sweeping changes yesterday, by changing attr_protected (which was the recent target of a Rails vulnerability) to attr_accessible – basically changing from black-listing to white-listing in what parameters can be posted to Gitorious and set on DB-backed models. It seems that one case was not covered by automatic tests, and was not discovered immediately.

Sorry for the inconvenience.

To upgrade your Gitorious, follow the regular procedure:

* git fetch origin
* git merge v2.4.9
* git submodule update
* bin/bundle install
* bin/rake assets:clear
* touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)
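
The switch from attr_protected to attr_accessible described in this post, as an added example that is not Gitorious or Rails code: a toy model of both filters showing what each lets through when the list is incomplete. The class, column and parameter names are hypothetical, and the forgotten `:email` illustrates the general failure mode of an incomplete allow-list, not the actual Gitorious regression.

```ruby
# Toy stand-in for a DB-backed model. Assumption: simplified semantics, not
# ActiveRecord itself; class, column and parameter names are hypothetical.
class ToyModel
  class << self
    attr_reader :columns, :denied, :allowed
    def column(*names)
      (@columns ||= []).concat(names.map(&:to_s))
      attr_accessor(*names)
    end

    # Deny-list: every column is assignable except the ones named here.
    def attr_protected(*names); @denied = names.map(&:to_s); end
    # Allow-list: no column is assignable except the ones named here.
    def attr_accessible(*names); @allowed = names.map(&:to_s); end

    def assignable?(key)
      return false unless columns.include?(key)
      allowed ? allowed.include?(key) : !(denied || []).include?(key)
    end
  end

  # Mass-assign request parameters; returns the keys that were filtered out.
  def assign(params)
    params.each_with_object([]) do |(key, value), dropped|
      self.class.assignable?(key) ? public_send("#{key}=", value) : dropped << key
    end
  end
end

class DenyListedUser < ToyModel
  column :login, :email, :is_admin
  attr_protected :is_admin
  column :suspended          # added later; nobody extended the deny-list
end

class AllowListedUser < ToyModel
  column :login, :email, :is_admin, :suspended
  attr_accessible :login     # :email was left off the list by mistake
end

# Constructed request: a signup form plus two fields the form never offered.
PARAMS = { "login" => "alice", "email" => "alice@example.org",
           "is_admin" => true, "suspended" => false }.freeze

def outcome(klass)
  record = klass.new
  { dropped: record.assign(PARAMS), email: record.email,
    is_admin: record.is_admin, suspended: record.suspended }
end
```

With the deny-list the later `suspended` column is settable from the request; with the allow-list it is not, but the forgotten `email` is silently discarded. In Rails 3.2, `config.active_record.mass_assignment_sanitizer = :strict` raises on filtered attributes instead, which makes such omissions show up in tests.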

Gitorious v2.4.8 is released

Three new vulnerabilities have been fixed for Ruby on Rails, on which Gitorious is built. Read the original announcements for further details. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.8
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.8 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.

Gitorious v2.4.7 was just released

This morning we discovered a vulnerability in Gitorious which made us write this advisory on our mailing list and release version 2.4.7 of Gitorious. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.7
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.7 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.
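
The signed-tag check mentioned in the v2.4.8 and v2.4.7 posts, combined with the upgrade steps, as an added example that is not part of the original posts or of Gitorious' tooling. The helper names are hypothetical, the status lines are constructed, and the pinned fingerprint is a placeholder because the page does not state the key's fingerprint.

```ruby
require "open3"

# Placeholder: the page does not state the signing key's fingerprint. Pin the
# one published by the release signers, obtained over a separate channel.
PINNED_FPR = "0000000000000000000000000000000000000000"

# Statuses GnuPG reports for signatures that must not be trusted.
REJECT = %w[BADSIG ERRSIG EXPSIG EXPKEYSIG REVKEYSIG].freeze

# Decide from GnuPG status lines ("[GNUPG:] ...", as `git verify-tag --raw`
# prints them) whether the tag carries a valid signature by the pinned key.
def trusted_signature?(status_text, pinned_fpr)
  fields = status_text.lines.map(&:split).select { |f| f[0] == "[GNUPG:]" }
  return false if fields.any? { |f| REJECT.include?(f[1]) }
  valid = fields.find { |f| f[1] == "VALIDSIG" }
  return false unless valid
  # Field 2 is the signing (sub)key fingerprint, the last field the primary key's.
  [valid[2], valid.last].include?(pinned_fpr.delete(" ").upcase)
end

# Runs git in `repo`; --raw sends the GnuPG status output to stderr.
def verify_tag(tag, pinned_fpr, repo: ".")
  _out, status_text, exit_status =
    Open3.capture3("git", "-C", repo, "verify-tag", "--raw", tag)
  exit_status.success? && trusted_signature?(status_text, pinned_fpr)
end

# The page's upgrade steps, with the merge gated on the signature check.
def upgrade_to(tag, pinned_fpr)
  return false unless system("git", "fetch", "--tags", "origin")
  return false unless verify_tag(tag, pinned_fpr)
  system("git", "merge", tag) && system("git", "submodule", "update") &&
    system("bundle", "install")
end

# Constructed status output for a tag signed by a constructed key.
SAMPLE_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
SAMPLE_GOOD = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG DDDD4444EEEE5555 Example Signer <signer@example.org>
  [GNUPG:] VALIDSIG #{SAMPLE_FPR} 2013-03-19 1363680000 0 4 0 1 2 00 #{SAMPLE_FPR}
STATUS
SAMPLE_BAD = "[GNUPG:] BADSIG DDDD4444EEEE5555 Example Signer <signer@example.org>\n"
```

A cryptographically valid signature from any other key is rejected as well, since anyone can sign a tag with a key of their own. Interactively, `git tag -v v2.4.8` performs the same verification with human-readable output.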
